Journalists from ZDNet drew attention of Mozilla engineers to numerous abuses of the Firefox Send service, which was actively used to distribute the malware. Mozilla temporarily suspended the Firefox Send service (for the time of investigation), and the developers promise to improve it and add a “Report Abuse” button.Firefox Send was launched in March 2019. The service is a private file hosting service and allows Firefox users to share files. All files downloaded and transferred via Firefox Send are stored in encrypted form, and users can set the retention period for files on the server, as well as set the permissible number of downloads before this “expiration date” expires. The service was available to all users at send.firefox.com.
“Although Mozilla engineers planned Firefox Send, thinking about the privacy and security of their users, since the end of 2019, the service has become very popular not among ordinary people, but among malware developers”, – write ZDNet reporters.
In majority of cases, hackers exploit the service in a very simple way: they download the malware payloads into Firefox Send, where the file is stored in encrypted form, and then insert links to this file, for example, in their phishing emails.
ZDNet writes that in the past few months, Firefox Send has been used to store payloads of a wide variety of campaigns, from ransomware to financially oriented malware, from bank Trojans to spyware that attacked human rights defenders. Such well-known hack groups as FIN7, REVil (Sodinokibi), Ursnif (Dreambot) and Zloader abused the service.
British information security expert Colin Hardy explains exactly what factors attract malware authors to the Firefox Send service. So, Firefox URLs are considered reliable in many organizations, that is, spam filters do not detect or block them.
“In addition, attackers do not have to invest time and money in creating and maintaining their own infrastructure if they use Mozilla servers. And Firefox Send encrypts the files, which prevents the work of security solutions, and the download links for the malware can be configured so that they expire after a certain time or number of downloads, which complicates the work of information security experts”, – said Colin Hardy.
The growing number of malicious operations associated with Firefox Send has not escaped the attention of the information security community. Because of this, over the past few months, experts have regularly complained about the lack of a mechanism for reporting abuse or the “Report about a file” button that could be used to stop malicious operations.
While preparing a publication about these problems, ZDNet reporters turned to Mozilla for a comment, wanting to know the organization’s position regarding the placement of malware, as well as the progress in developing a mechanism for reporting about violations.
Mozilla’s response surprised both journalists and information security professionals, as the organization immediately suspended the Firefox Sens service and announced that it was working to improve it.
“We will temporarily take Firefox Send offline while we improve the product. Before starting the [service] again, we will add a violation reporting mechanism to supplement the existing feedback form, and we will also require all users who want to share content using Firefox Send to log in using their Firefox account,” — said Mozilla representatives.
Currently it is unclear when Firefox Send will return online. All links to Firefox Send have stopped working, which means that all malicious campaigns that used the service are also temporarily disabled.
Let me remind you that Firefox Refuses to Support FTP Protocol.